Hyperlinked information security glossary

 

This version was published at ISO27001security dotcom on 7th February 2008

 

Purpose:  this is an attempt to provide simple, relatively informal definitions of commonplace information security terms.  Its publication precedes the release of ISO/IEC 27000 which will formally define terms relating to information security management systems used within the ISO27k standards.  This glossary includes additional terms that are unlikely to be covered by 27000 and definitions that almost certainly will differ from 27000 and other standards.

 

Usage: Just look up a term and off you go, basically.  There is no search function because (a) the terms are listed alphabetically; (b) your browser almost certainly has the Control-F ‘find’ function; and (c) it’s simpler without.  Most definitions contain underlined hyperlinked references to other terms also defined in the glossary.  If you’re not quite sure what something underlined actually means, just click on it to visit its definition and find out and, when you’re done, click the back button to return to the original definition, click another hyperlink to explore that or just browse aimlessly until your lunchtime is over or it’s time to go home.

 

Sources, references and copyright: please see the end.

 

Term

Meaning

419

Number of a Nigerian penal code that is supposed to stop advance fee frauds originating in Nigeria but is patently ineffective.

Access, Access rights

Ability of a user or program to interact with an information asset e.g. to read or write data, send messages over the network etc. Also the ability of a person to enter a building, room, cupboard etc.

Access control

Type of control designed to restrict access to an information asset, permitting authorized access whilst preventing unauthorized access.

Access matrix

Table relating types of user rôle (on one axis) to the IT systems, application functions and/or classes of data (on the other axis), showing the types of access permitted within the body of the matrix.

Accident

Although we tend to think that security incidents result from deliberate acts by hackers, malware etc., most are in fact the result of chance events or accidents.

Accountable, accountability

A person who is held accountable for something is personally responsible for it and may be disciplined if they do not fulfill their obligations.  Unlike responsibility, however, accountability is similar to ownership in that it cannot be delegated from one person to another.  In short, ‘the buck stops here’.

ActiveX

Microsoft technology for interactive Web pages.  Malicious ActiveX controls (a form of malware) may potentially compromise the users’ systems: if the browser security settings allow, even unauthenticated (“unsigned”) ActiveX controls may access files on hard drives. 

Advance fee fraud

Type of fraud in which the fraudster persuades a naïve victim to send money as ‘advance fees’ supposedly to secure a payment which never actually materializes.  Commonly known as a 419 scam.

Adware

Annoying program that displays advertisements etc.  Considered by some to be a form of malware since it is often installed secretly and has undesirable effects that may compromise privacy.

Alarm

Audio/visual warning that a critical condition requiring an urgent high priority response (e.g. fire/smoke, intruder, flood) has occurred.  See also alert.

Alert

Warning that a critical system security event (e.g. audit file full, system shutdown initiated, user authentication failure) has occurred.  Alerts generally require less urgent responses than alarms and so are normally logged for later analysis and follow-up action.

Anonymity

A person’s ability to use systems and networks without disclosing that it is them.  A form of privacy.

Antivirus [program]

Software designed to minimize the risk of malware by detecting, preventing and/or removing various forms of malware infection such as viruses, worms, Trojans etc.

Asset

Something of value to the organization.  May be tangible (e.g. a building, computer hardware) or intangible (e.g. knowledge, experience, know-how, information, software, data).

Attack

Type of information security incident actively and deliberately perpetrated by someone (cf. accident or Act of God).

Attribution

The act of openly acknowledging the originator or owner of IP to avoid claims of plagiarism and copyright abuse.

Audit

Structured process of examination, review, assessment and reporting by one or more competent people who are independent of the situation, system, process, function etc. being audited.

Audit trail

Chronological record of information documenting important events or stages in a business or IT process, such as the system security log typically configured to record successful and failed logons etc.

Authentic

Genuine, verifiable.  The real thing, not counterfeit.

Authentication, authenticate

Process by which an individual user, system etc. is positively identified by another, typically on the basis of something they know (e.g. a password) and sometimes something they have (e.g. a security token) or something they are (biometrics).

Authorization, authorize

Permitted, accepted and/or agreed by management as being in the organization's best interests.

Availability

One of the three core elements of information security, along with confidentiality and integrity. Availability concerns the requirement for information, IT systems, people and processes to be operational and accessible when needed by the organization.

Axiom

A fundamental information security policy requirement, architectural principle or rule.  39 axioms derived from the 39 control objectives defined in ISO/IEC 27002 underpin the organization’s information security policy statements, standards, procedures, guidelines and controls.

Backdoor

Secret function or userID allowing hackers to access a system without proper authorization, bypassing most defenses. Often includes keyloggers and rootkit functions as well.

Backup

Snapshot copy of data and/or programs from an IT system at a given point in time.  Backups provide the ability to restore a system to a known state after an incident.

BHO (Browser Helper Object)

Program that is loaded and runs automatically when the browser is launched.  Malicious BHOs may be spyware.

Biometric

Measurable physical characteristic of a person, such as a fingerprint, iris pattern, retinal pattern, facial shape or voice pattern, that can be used to authenticate and identify the person positively.

Bluetooth

Wireless networking protocol intended for short-range use over a few meters but may be capable of unauthorized interception over longer distances.

Board of Directors (the Board)

The most senior level of management within the organization with overarching accountability for protecting information assets on behalf of the stakeholders.  The Board delegates responsibility for corporate governance including information security to the Executive Directors.

Bot

Short for ‘robot’.  Networked computer under the remote control of hackers, often compromised using a Trojan.  Also known as zombie.

Botnet

Network of bots that is used for illegal activities such as spamming, carrying out DoS attacks or as a launch pad for hacking other systems.  Botnets comprising up to tens of thousands of compromised machines may be rented on the black market.

Breach

Form of information security incident normally involving deliberate action or inaction by someone, as opposed to accidental causes.

Business critical

Class of information asset that is vitally important to the organization.  A serious information security incident affecting such an asset would probably cause grave impacts e.g. significant financial losses, marked loss of customer/market confidence in the organization, regulatory or legal action against the organization or its directors, often in short order.  See also Tier 1, 2 or 3.

Business Impact Assessment (BIA)

Risk analysis process for reviewing the potential business impacts of more or less serious information security incidents affecting IT systems supporting critical business processes, in order to determine the associated availability requirements.

Certification Authority (CA)

Trusted body that digitally signs and issues digital certificates to authenticated users or systems in a PKI.

Certification Practice Statement (CPS)

Formal document defining a given PKI.

Certificate Revocation List (CRL)

A published list of digital certificates that have been revoked by the Certification Authority and are therefore invalid.

Change control

Management process for proposing, reviewing and accepting or rejecting changes to a process, system and/or the associated documentation.

Change management

The totality of activities used to control, direct and document changes to the organization and its associated IT systems, processes etc.

Checkpoint

A static record or snapshot of the state of a computer system, program, database etc. at one point in time to which the system may be rolled-back if necessary.  See also backup.

Chief Security Officer (CSO)

Director with overall responsibility for security, including information and physical security.  Chairs the Security Committee and reports to the Executive Directors.

Class, Classify, Classification

Convenient grouping of similar or related information assets that are likely to share similar information security risks and control requirements.  Classification reduces the need to risk-assess every single asset in each class individually and identify the security controls needed to protect it.  Classification typically relies on confidentiality criteria but more complex schemes may also take account of integrity and availability requirements.

Commit point

Point at which a new, altered or deleted record is actually recorded in a database.  Well-designed database systems incorporate controls such as locks, journaling and checkpoints to maintain data integrity despite incidents that occur before, during or after the commit point.

Competitive or competitor intelligence

Some people explicitly define these terms to distinguish authentic and ethical means of gathering information on competitors (such as analyzing their public websites) from more illicit ones (such as hacking their websites or other forms of industrial espionage), but there is no clear consensus on the definitions.  Many people use the terms loosely and interchangeably.

Compliance

State of conformance with information security objectives, controls etc. defined internally by the organization in policies etc. and/or externally by third parties (e.g. laws, industry regulations and contractual terms).

Compromise

Verb: to undermine or attack.  Noun: see incident.

CONFIDENTIAL

Class of information that is sensitive and/or business critical and therefore needs to be protected to a reasonable extent.  It is intended for limited distribution within the organization or to specially designated third parties, on a need-to-know (‘default deny’) basis.

Confidentiality

One of the three core elements of information security, along with availability and integrity. Confidentiality essentially concerns secrecy or privacy.

Configuration management

A subset of change management activities specifically relating to changes to IT systems configurations e.g. the implementation of new programs, new versions or altered parameters.

Contingency

Inherently unexpected or unpredictable situation such as a physical disaster (a bomb, plane crash, flood or fire), a serious fraud, virus/worm outbreak etc., which other controls have failed to prevent.  The outcome is contingent (dependent) on the exact nature of the incident and the situation at the time it occurs.

Contingency plan

Forward-thinking approach for managing and organizing resources to cope as well as possible with a contingency situation.  Whereas the nature of the process to be followed during/after an incident depends on the specific situation, contingency plans support the efficient coordination and management of resources under any circumstances.

Control

Something which prevents or reduces the probability of an information security incident (preventive or deterrent control), indicates that an incident has occurred (detective control) and/or minimizes the damage caused by an incident i.e. reduces or limits the impact (corrective control).  An administrative/procedural, technical, managerial, physical or legal means of managing risk.  Controls may reduce information security threats or impacts, although most reduce vulnerabilities.

Control objective

Describes the anticipated business purpose or benefit of an information security control.  Encapsulates the risk in business terms.

Control Self Assessment (CSA)

Regular management review process to assess the status of governance across the organization, including information security and other forms of risk management and control.  Alternatively, a rigorous, highly structured but essentially pointless method for giving auditors the answers they expect to hear whilst at the same time appearing to be Doing Something Positive About Governance.  :-)

Control total

A value (such as a numeric total or the number of items) that can be used as a simple check for integrity failures, for example to confirm when a data file is transmitted across a system interface or processed that all records sent were received and processed.
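Worked example of control totals, added here and not part of the glossary: a sender computes totals over a constructed pipe-delimited batch file, the receiver recomputes them over what it received, and a dropped record or an altered amount is flagged as an integrity failure. The record layout, field names and values are all constructed for this example.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample batch (not real data): one "record_id|account|amount"
# line per record, as a sender might write them to a transfer file.
SENT_BATCH = """\
1001|ACC-17|125.00
1002|ACC-42|-40.25
1003|ACC-17|310.10
1004|ACC-08|0.00
"""


@dataclass(frozen=True)
class ControlTotals:
    """Totals that travel with the batch, e.g. in a trailer record."""
    record_count: int      # how many records were sent
    amount_total: Decimal  # arithmetic sum of the amount field
    hash_total: int        # sum of record ids: meaningless as a number,
                           # but a dropped or duplicated record changes it


def parse_records(text):
    """Parse the pipe-delimited batch into (record_id, account, amount) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rid, account, amount = line.split("|")
        records.append((int(rid), account, Decimal(amount)))
    return records


def compute_control_totals(records):
    return ControlTotals(
        record_count=len(records),
        amount_total=sum((r[2] for r in records), Decimal("0")),
        hash_total=sum(r[0] for r in records),
    )


def verify_batch(received_text, trailer):
    """Recompute totals over what was received; return a list of mismatches.

    An empty list means every control total agrees with the trailer.
    """
    actual = compute_control_totals(parse_records(received_text))
    problems = []
    for field in ("record_count", "amount_total", "hash_total"):
        expected, got = getattr(trailer, field), getattr(actual, field)
        if expected != got:
            problems.append(f"{field}: expected {expected}, got {got}")
    return problems


# Sender side: totals computed over the batch as sent.
TRAILER = compute_control_totals(parse_records(SENT_BATCH))

# Receiver side, three constructed outcomes:
# 1. intact file: all totals agree.
# 2. last record lost in transit: its amount is 0.00, so the amount total
#    alone would not notice, but the record count and hash total do.
# 3. one amount altered (digit transposition): count and hash total are
#    unchanged, only the amount total catches it.
DROPPED_BATCH = "\n".join(SENT_BATCH.splitlines()[:-1]) + "\n"
ALTERED_BATCH = SENT_BATCH.replace("1001|ACC-17|125.00", "1001|ACC-17|152.00")

if __name__ == "__main__":
    for name, text in (("intact", SENT_BATCH), ("dropped", DROPPED_BATCH),
                       ("altered", ALTERED_BATCH)):
        print(name, verify_batch(text, TRAILER) or "control totals agree")
```

Using several independent totals matters: the dropped zero-amount record and the transposed amount are each invisible to one of the totals and caught by another.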

Cookie

Small text file sent by a Website to your browser and later retrieved to track your Web browsing habits.  With insecure browser settings, different Websites may share the information in cookies, raising privacy issues.

Copy protection

Technique to restrict the ability of users to copy or use software and other IP except on the original distribution media e.g. using a dongle or other forms of encryption.

Copyright

Legal protection giving the originator/owner of original materials rights over the copying and use of the materials, for example through software licenses.  A form of intellectual property rights.

COTS (Commercial Off The Shelf)

Refers to standard as opposed to bespoke software, typically distributed to the general public through retail outlets in shrink-wrapped packages with generic license agreements.

Counterfeit

Pirated or fake copy of an original asset.  Mass-produced counterfeit software, music CDs and video DVDs are in circulation, many of which appear so authentic that even experts sometimes have difficulty telling them apart from the genuine articles. 

Cracker

Hacker with malicious intent who breaks into networks and systems without the owners’ permission or consent.

Credential

Something a user or system presents to prove (authenticate) their true identity e.g. a passport, password or security token.

Cross Site Scripting (“XSS”)

Web hacking technique in which badly-designed websites (e.g. some bulletin-board systems) with inadequate data entry validation are made to return malicious URLs, HTML, JavaScript or other executable code (malware) to the user’s browser for execution (e.g. to manipulate or disclose their supposedly private cookies or other local data).  Abbreviated to “XSS” to distinguish it from CSS meaning Cascading Style Sheet.

Cryptography, cryptographic, ‘crypto’

The mathematical science behind ‘secret writing’ involving the use of mathematical algorithms to transform readable plaintext into unreadable cyphertext and vice versa.

Cyphertext

Encoded/scrambled string such as HbAKhBsaao)X]*AX551&*S66 that makes no sense to a human reader but which can be transformed into the corresponding plaintext using a cryptographic algorithm and encryption key.

Data

Electronic representations of information within a computer system.  In digital computers, data (and indeed software) are represented by sequences of logical ones and zeros known as bits.

Database (db)

Structured and managed collection of data.  The structure and accumulation of data, along with the software functions to manage, manipulate and report them, usually make databases far more valuable than plain, unmanaged “flat files”.  The most important computer systems are normally databases, hence database security controls such as those protecting data integrity are a vital element of information security.

Data dictionary

Formal description of the data fields of records in a database, ideally including their information security characteristics.

Data miner

Form of malware that covertly collects information on Web users, for example secretly recording data submitted on forms.

DBA (Database Administrator)

Privileged user who administers (manages) one or more databases.  Normally responsible for configuring, maintaining and tuning databases e.g. setting up user rôles, defining access rights to tables and cells, monitoring security logs etc.

DDoS (Distributed Denial of Service)

Type of DoS attack using numerous attacking systems to amplify the amount of network traffic, thereby flooding and perhaps swamping the target systems or networks.

Deception, deceit

Lying, lie, or deliberate concealment of the truth.

Default deny

Access control principle stating that information should only be released to authenticated individuals if they have a legitimate purpose or reason for using the information, and are authorized to do so.  Also known as need-to-know.

Defense-in-depth

Control principle whereby multiple overlapping or complementary ‘layers’ of control are applied, all of which would have to be breached in order to impact the protected information assets.

Development

Computer environment comprising systems, networks, devices, data and supporting processes that are used by software developers for developing new application systems (cf. production or test environments).

Device

An item of computing or networking equipment, a piece of hardware.

Dialer

Form of malware which tries silently to connect to a premium rate phone number using the computer’s modem.  See also war dialer.

Digital certificate

File containing information about a user or system along with their public key plus a digital signature from the Certification Authority to authenticate the whole certificate.

Digital signature

Cryptographic hash of a message, constructed with the sender’s private key, used to ‘seal’ the document thus revealing any subsequent changes and authenticating it.

Discretionary

Optional i.e. provided or used at someone’s discretion.  Refers to information security controls that are not absolutely mandated by the information security architecture.

Division of responsibilities

Control requiring the involvement of more than one individual to complete a business process e.g. data entry performed by a member of staff with review and authorization performed by a supervisor or manager.  Normally reinforced by controlled access to the corresponding system functions.  Reduces the possibility of fraud, barring collusion between the individuals, and data entry errors.  Also known as separation or segregation of duties.

DMCA (Digital Millennium Copyright Act)

US law prohibiting technologies/devices used to bypass or defeat software/data copy protection mechanisms.

DMZ (De-Militarized Zone)

Special network segment between the outer network perimeter and the inner organization network, within which proxy servers and firewalls help to isolate the internal and external networks.

Documented, documentation

Written down, reviewed and approved by management, and used.  Most other documents referenced in the Information Security Policy Manual are relatively formal in nature and are assumed to be under change control, like the manual itself.

Dongle

Copy protection device used to ‘unlock’ (allow access to) software for use on the particular computer into which it is plugged.

DoS (Denial of Service)

Type of information security incident in which availability is impacted, for example by deliberately or accidentally overloading the system or network, thereby interfering with legitimate business processing.  See also DDoS.

DR (Disaster Recovery)

Arrangements to restore IT systems and data supporting critical business functions, often from an alternate location, following a major incident affecting the primary production systems and data.

DRM (Digital Rights Management)

Technological controls using encryption to permit or deny certain types of use of IP according to the copyright owner’s wishes.

Dual-control

Form of control requiring the actions of more than one person, for example when two soldiers have to insert and turn their keys at the same moment to launch a missile.

Emergency intervention

Situation in which a competent support person is specifically authorized by management to modify a system directly, typically through a privileged emergency userID, bypassing the normal system access controls and code migration processes in order to resolve an urgent production issue.

Encryption

Application of cryptography to make information unintelligible to anyone without access to the correct key.

Ethical

Behavior broadly accepted as right and proper, at least in the culture in which it occurs.  Ethical beliefs vary from culture to culture, however.  A practice considered ethical within the hacker community, for example, may not be OK to an ISM.

Exemption

Temporary management-approved relaxation of security policy requirements, provided that compensating controls are implemented (where possible).  The person requesting an exemption remains formally accountable for the residual risk resulting from non-compliance with policy.

Exploit

To take advantage of or use.  A risk is the chance that a threat may exploit a vulnerability causing an impact.

External

Outside the organization’s physical, organizational and network boundary (cf. internal).

Failover

Manual or automated process for transferring resilient IT services between redundant equipment, campuses and/or network routes, providing high availability.

Failsafe

Concept used heavily in safety-critical or high-security system and process designs whereby a control failure leaves the system/process in an inherently safe or secure condition, even if that impairs availability.

Fair use

Copyright laws generally permit limited use of copyright materials without the copyright owner’s explicit permission.  Such fair use exceptions typically allow quoting and summarizing of non-substantial parts of copyright materials and small-scale copying for research and educational purposes.

Fault

Problem with information processing or communications systems including definite or suspected security incident, system failure, program error/bug, virus, other undesirable system operation etc.

Fault tolerance

High-availability design goal that system should survive incidents that would otherwise cause a system failure or unplanned outage.

Firewall

Specialized router specifically configured as a gateway to control logical access to the attached network segments, nodes and devices.

Firmware

Software embedded in a hardware device, typically an EEPROM (Electrically Erasable Programmable Read Only Memory) chip.  A computer’s BIOS (Basic Input Output System) is an example: BIOS firmware normally checks the machine’s hardware for faults and loads the boot loader part of the main operating system.  Any malware in firmware is likely to have complete control of the system since it is inherently trusted by the operating system and other software.

FMEA (Failure Mode and Effects Analysis)

Engineering method to analyze potential failure modes, and the effects of such failures, on a system.  Used to identify potential reliability problems early in the software or hardware development lifecycle and identify options to mitigate the failures.  Helps design more resilient systems.

Fraud

Theft or similar crime involving deliberate deception by a fraudster, for example assuming someone else’s name (identity theft) or promising a large payout on receipt of an advance fee.

Fraudster

Deceitful person who commits fraud.  Sometimes incorrectly known as “the fraud”.

Governance

Comprises the entire management framework or structure for controlling and directing the organization, including information security and other controls.

Guideline

Written guidance explaining how certain information security controls operate.  Despite the name, many of the controls noted in guidelines directly support security axioms and policy statements and are therefore mandatory.  Guidelines also contain supplementary information to help employees apply the controls properly.

Hacker